The KUSP Project - PowerPoint PPT Presentation

1
The KUSP Project
  • Kent University Shibbolized Portal
  • Bonnie Ferguson
  • b.ferguson@kent.ac.uk

2
Introduction
  • Current situation - Athens
  • Federated Access Management
  • Shibboleth
  • Federations
  • KUSP project
  • Shibboleth Demo

3
Current situation
  • Athens accounts are needed to access many
    resources
  • Institutions must create and manage accounts
  • Duplicates some user information
  • Different usernames and passwords
  • AthensDA allows accounts to be handled locally
  • Move towards sharing resources - Jorum, etc.

4
Athens
  • JISC currently subsidise Athens free to
    Universities
  • July 2008 - JISC withdraws Athens subsidies
  • OpenAthens will be available but at a charge
    (800 - 9500 per year, depending on
    institutional size)
  • JISC will fund FAM as replacement

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
5
Services using Athens
  • Most Athens services should adopt Shibboleth by
    July 2008.
  • Shibboleth-Athens and Athens-Shibboleth Gateways
    to bridge the gap.

http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
6
What is Federated Access Management (FAM)?
  • Next generation access-management system
  • FAM builds a trust relationship between Identity
    Providers and Service Providers. 
  • Authentication is devolved to a user's home
    institution.
  • Attributes about the user (including roles) can
    be exchanged.

http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx
7
Federated Access Management
http://www.switch.ch/aai/about/introduction/
8
Benefits (1)
  • User registers only once with home institution
  • Reduces time needed to manage multiple user
    accounts
  • New tools for managing licenses and service
    subscriptions.

http://www.switch.ch/aai/about/introduction/
http://www.jisc.ac.uk/news/stories/2006/03/access_qanda.aspx
9
Benefits (2)
  • Users won't have to remember additional usernames
    and passwords.
  • Simplified authentication process may lead to
    increased use of subscribed services.
  • Interoperable with other SAML-based software  

10
Where does the word Shibboleth come from?
  • The word comes from the Old Testament (Judges
    12:1-6).
  • Two groups from different sides of the river
    Jordan had different accents. One pronounced
    the "sh" sound as "si".
  • To separate friend from foe, those crossing the
    river were asked to pronounce the word
    "shibboleth" (it means an ear of corn).
  • According to the Bible, the 42,000 who pronounced
    it "sibboleth" were killed.

11
It's also a band
http://www.goshibbolethgo.com
12
But seriously, folks.
  • A technology that enables FAM.
  • Functionality of Athens DA
  • Standards based - SAML (Security Assertion Markup
    Language)
  • Open source middleware software
  • Privacy-preserving

http://shibboleth.internet2.edu/
13
Shibboleth Architecture
http://www.switch.ch/aai/about/introduction/
14
Shibboleth Identity Provider (IdP)
  • Uses institutional user database
  • Provides authentication
  • Sends user attributes
  • (aka Shibboleth Origin)

15
Shibboleth Service Provider (SP)
  • Shibboleth module protects web-based applications
  • Intercepts HTTP requests and redirects to WAYF
    (or a specific Identity Provider) for
    authentication
  • Receives ticket/cookie
  • Optional additional call for attributes
  • (aka Shibboleth Target)

16
What is a Federation?
  • A federation is a group of institutions and
    organisations that sign up to an agreed set of
    policies for exchanging information about users
    and resources to enable access and use of
    resources and services.
  • Organisations that use Shibboleth to access
    resources must join or create a federation.

http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx
http://en.wikipedia.org/wiki/United_Federation_of_Planets
17
Federations
  • WAYF (Where are you from?) service
  • UK Access Federation (http://www.ukfederation.org.uk/)

https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
18
Joining the UK Access Federation
  • Apply in writing
  • Signed by Executive Liaison
  • Management Liaison must be named
  • Agree to be bound by the federation's Rules of
    Membership

http://www.ukfederation.org.uk/
19
The KUSP Project
  • Funded by the JISC Core Middleware Infrastructure
    Early Adopter programme
  • January 2006 - March 2007
  • 1 Developer full time for 1 year

20
What can Shibboleth do for us?
  • Athens replacement
  • Single Sign on solution?
  • Manage authentication for both internal and
    external applications?

21
The KUSP Project - Aims
  • Creating a new Shibboleth infrastructure for the
    University of Kent
  • Building a Shibbolized portal and VLE with Single
    Sign-on (SSO)
  • Investigate PrivilEge and Role Management
    Infrastructure Standards (PERMIS) for portal
    authorisation
  • Pushing the envelope
  • Providing support to the partners in the
    University of Medway project to adopt Shibboleth

22
Shibboleth Test Environment
  • Shibboleth Identity Provider
  • Connect to University LDAP
  • Shibboleth Service Provider
  • Protecting Static Web pages
  • Join InQueue Test Federation

23
Shibboleth - Where to start?
  • Shibboleth Software is free and Open Source
  • Help is available!
  • Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
  • MATU Installation guides (http://www.matu.ac.uk/docs/)
  • Mailing lists
  • (shibboleth-users@internet2.edu)

24
Purchases
  • Two Sun servers, running Solaris 9
  • Shibboleth Identity Provider
  • Shibboleth Service Provider
  • Licenses for
  • WebCT Powerlinks SDK
  • WebCT developers network

25
Identity Provider - Software
  • Software comes packaged as a Java .war file.
  • We installed it on
  • Solaris OS
  • Apache Tomcat
  • Apache Web Server
  • mod_jk

26
Identity Provider - Configuration
  • The configuration is stored in several XML files
    in /usr/local/shibboleth-idp/etc by default
  • idp.xml - Main configuration file contains
    providerId, information about the federation and
    links to other configuration files
  • resolver.ldap.xml - Connection parameters for
    LDAP and list of attributes to retrieve
  • arp.site.xml - Attribute release policy - list of
    attributes. Can be configured to release
    different sets of attributes to different
    applications.
  • metadata.xml - holds metadata for all the IdPs
    and SPs in the federation and the SSL certificate
    chain. Must be updated regularly!

27
Service Provider
  • Shibboleth does not provide its own
    authentication mechanism (out of scope for
    Shibboleth). It can be paired with a range of
    authentication systems
  • Apache <Location> directives in httpd.conf (e.g.
    simple HTML page)
  • JAAS module - for dynamic web applications like
    WebCT or uPortal that use the attributes of the
    user to display information
  • Yale CAS (Central Authentication Service)

http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
28
Service Providers - One or Many?
  • SAML SSO is an end to end protocol between one SP
    and one IdP.
  • If you are Shibbolizing multiple applications
    (like uPortal and WebCT), each one requires its
    own Service Provider.
  • However, Guanxi takes a different approach by
    allowing a single Shibboleth SP for an
    institution with associated guards for each
    application.

29
Service Provider - Configuration
  • Configuration files in /opt/shibboleth-sp/etc/shibboleth
  • shibboleth.xml - main configuration file with
    Federation information, SSL certificate, and a
    RequestMap of all applications being protected,
    with their parameters
  • aap.xml - attribute acceptance policy - can set
    rules about the attributes you accept
  • metadata.xml same as identity provider

30
Service Provider - Configuration
  • Two files work together to provide Shibboleth
    protection to web resources
  • httpd.conf <Location> block
  • shibboleth.xml <RequestMap> elements
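The point of this slide is that the httpd.conf <Location> block and the shibboleth.xml <RequestMap> have to agree, or a path listed in one but not the other ends up served without a Shibboleth session. The following is an added example, not code from the KUSP project or the Shibboleth distribution: it cross-checks two constructed fragments and reports the paths on which the two files disagree. It assumes the SP 1.3 RequestMap shape (Host/Path elements with authType and requireSession attributes) and the ShibRequireSession Apache directive; shibsp.example.ac.uk is a made-up host.

```python
# Added example, not from the KUSP slides: cross-check the two constructed
# fragments below (SP 1.3 RequestMap syntax as assumed here; made-up host).
import re
import xml.etree.ElementTree as ET

REQUEST_MAP = """<RequestMap applicationId="default">
  <Host name="shibsp.example.ac.uk">
    <Path name="uPortal" authType="shibboleth" requireSession="true"/>
    <Path name="webct" authType="shibboleth" requireSession="true"/>
    <Path name="public"/>
  </Host>
</RequestMap>"""

HTTPD_CONF = """<Location /uPortal>
  AuthType shibboleth
  ShibRequireSession On
  require valid-user
</Location>"""

def requestmap_requires_session(xml_text, host, path):
    # Walk Host -> nested Path per URL segment; innermost requireSession wins.
    root = ET.fromstring(xml_text)
    for h in root.findall("Host"):
        if h.get("name") != host:
            continue
        node, required = h, h.get("requireSession") == "true"
        for seg in path.strip("/").split("/"):
            node = next((p for p in node.findall("Path") if p.get("name") == seg), None)
            if node is None:
                break
            if node.get("requireSession") is not None:
                required = node.get("requireSession") == "true"
        return required
    return False

def httpd_requires_session(conf_text, path):
    # Longest matching <Location> prefix decides whether Apache invokes the module.
    best, required = -1, False
    for loc, body in re.findall(r"<Location\s+(\S+)\s*>(.*?)</Location>", conf_text, re.S):
        if (path == loc or path.startswith(loc.rstrip("/") + "/")) and len(loc) > best:
            best = len(loc)
            required = bool(re.search(r"AuthType\s+shibboleth", body, re.I)
                            and re.search(r"ShibRequireSession\s+On", body, re.I))
    return required

def find_mismatches(xml_text, conf_text, host, paths):
    # RequestMap-only entries are the dangerous case: Apache never calls the
    # module for that path, so the resource is served without a session.
    return [p for p in paths if requestmap_requires_session(xml_text, host, p)
            != httpd_requires_session(conf_text, p)]
```

In the sample, /webct is mapped in the RequestMap but has no <Location> block, so find_mismatches flags it; that is the case to look for after every change to either file.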

31
Shibbolizing applications - JAAS modules
  • uPortal - SpieJaasModule developed by the SPIE
    project at Oxford University (http://spie.oucs.ox.ac.uk/)
  • WebCT Shibboleth inbound authentication module
    (http://devnet.webct.com/contrib/authentication/Shibboleth/)
  • Many more: Blackboard, DSpace, Plone, EZProxy
    (https://wiki.internet2.edu/confluence/display/seas/Home)

32
Java Authentication and Authorization Service
(JAAS)
http://devnet.webct.com/docs/ce6_documentation/WebCTVista400_sdk30_programmers_guide_2005_11_30.pdf
33
Authentication only
  • uPortal and WebCT JAAS modules were basic
  • Triggered Shibboleth Authentication
  • Retrieved the username attribute
  • Set as current user in system
  • Used inbuilt (uPortal or WebCT) authorisation

34
PERMIS
  • PrivilEge and Role Management Infrastructure
    Standards
  • Authorisation (privilege management) system that
    complements existing authentication systems.
  • PERMIS web interface - write PERMIS policies

35
PERMIS
  • URLs need to be known in advance
  • uPortal URLs built on the fly
  • http://shibsp.kent.ac.uk/uPortal/tag.f4d450cdb66bf1f5...
  • http://shibsp.kent.ac.uk/uPortal/tag.a3a580b2d384e523...
  • Would require additional code to handle
    Authorisation
  • Develop JAAS module
  • Portal level to call PERMIS when building
    portal pages
  • Out of scope of KUSP project

36
Single Sign-On (SSO)
  • Specialized form of software authentication that
    enables a user to authenticate once and gain
    access to the resources of multiple software
    systems.
  • Kerberos, CAS, CoSign, Web-SSO, etc.

http://en.wikipedia.org/wiki/Single_sign-on
37
SSO - Aims
  • Integrate WebCT into portal
  • Sign into portal and get dashboard view of WebCT
    data

38
SSO - Results
  • Shibboleth uses Cookies so SSO happened
    automatically

39
Portal Integration
  • IFrame
  • Session Display problems

40
Portal Integration
  • Vista MyWebCT portlet
  • Used proxy authentication module
  • Displayed limited dashboard

41
Portal Integration
  • Home-grown portlet using web services
  • Allows fuller dashboard interface
  • Best to extend existing portlet

42
Shibboleth Demo
  • http://shibsp.kent.ac.uk/uPortal

43
Findings - Authn not Authz
  • Shibboleth for Authentication not authorization
  • Personalised systems like portals and VLEs need
    to perform three types of user management
  • Authentication
  • Authorization/Role management
  • Remembering user preferences
  • Is it appropriate to externalise this?
  • Outside of scope of project to redevelop
    authorization for personalised system such as
    portal or VLE

44
Findings - More potential
  • Did not use Shibboleth's full potential!
  • uPortal and WebCT still required user accounts
  • uPortal can create these at first login
  • Still need to manage these accounts
  • Did not use Shibboleth role-based attributes
  • Did not use the privacy-protecting functionality
    (always relied on the username rather than tickets
    and roles)

45
Findings - WebCT
  • The WebCT/Shibboleth module was not necessary for
    the Shibbolized portal
  • Proxy module was sufficient since it was only
    passing a username instead of using the full
    Shibboleth functionality

46
Findings - SSO
  • Shibboleth can handle SSO for web based
    applications
  • No extra software required (such as CAS)
  • Will investigate for future use

47
Lessons Learned
  • Setting up the Shibboleth Identity provider and
    Service Provider was relatively straightforward.
    It is the integration of Shibboleth with existing
    applications that is much more difficult and time
    consuming, so leave plenty of time for this in
    your project plan.
  • Keep a Blog or Wiki of the installation
    procedures, lessons learned and other issues.
  • Make contact with other projects as early as
    possible.
  • Join all relevant mailing lists at the beginning
    of the project and don't be afraid to ask lots of
    stupid questions.

48
Resources
  • Shibboleth Wiki (https://spaces.internet2.edu/display/SHIB/)
  • MATU Installation guides (http://www.matu.ac.uk/docs/)
  • SWITCH Installation guides
    (http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html)
  • LSIP project (University of Liverpool)
    Implementation Documentation
    (http://www.liv.ac.uk/LSIP/Documentation/DraftShib13ImplementationDocument.html)
  • uPortal website http://www.uportal.org
  • WebCT (Blackboard) website and developers
    network http://www.webct.com/ and
    http://devnet.webct.com/
  • SPIE project (Oxford University)
    http://www.oucs.ox.ac.uk/rts/spie/
  • InQueue Shibboleth federation http://inqueue.internet2.edu/
  • FEAR project (Reid Kerr College)
    http://www.reidkerr.ac.uk/fear/docs/ReloadContentPreview.htm

49
References
  • http://shibboleth.internet2.edu
  • http://www.jisc.ac.uk/publications/publications/pub_shibboleth.aspx
  • http://www.jisc.ac.uk/whatwedo/themes/access_management/federation/shibboleth.aspx
  • http://www.switch.ch/aai/about/introduction
  • http://www.goshibbolethgo.com
  • http://en.wikipedia.org/wiki/United_Federation_of_Planets
  • https://spaces.internet2.edu/display/SHIB/ShibbolethFederations
  • http://www.ukfederation.org.uk/
  • http://shibboleth.internet2.edu/docs/draft-internet2-shibboleth-requirements-01.html
  • http://sec.isi.salford.ac.uk/permis/

50
Any questions?
  • http://www.kent.ac.uk/is/kusp
  • b.ferguson@kent.ac.uk

51
Discussion
  • How long will FAM take to implement?
  • How much will it cost?
  • What impact on service?
  • Changes to training and documentation required?
  • Support moved from Library to Computing Service?
  • Could OpenAthens be a cheaper option?
  • What about non-web based resources?